Napkin Technologies’ “Business Technology Express” (BTE) enables employers and clients to take technical and business thoughts, ideas, concepts and plans from the back of a napkin to a strategy and a reality!

Tag: vpn

This is the final installment in my four-part series discussing the four zones of Mobile Success. The first post discussed the enterprise zone: the enterprise back end, including mail servers, messaging solution and directory services. The second zone is the enterprise security zone, consisting of firewalls, VPNs and reverse proxy. The third zone I covered was the Internet. All of these function as points of success or failure in mobility.

The final zone is the device user zone, which is probably the zone most prone to failures. The zone consists of the user, the device, the applications and the local wireless carrier. For many reasons, new devices, replacement devices, provisioning and re-provisioning with the carrier messaging system and the enterprise often result in an issue and a call to the help desk. The vast majority of interactions occur in this zone, and the more interactions there are, the more opportunity for errors.

Recall from part three of the series, the Internet zone: data travels the course of the wireless carrier’s wire, fiber, switches and routers until it reaches the wireless tower associated with a device. Then the tower transmits the data to the device. Because a mobile device is an “always on” device, the associated tower can change and must be tracked throughout the day as you travel to different locations.

In short, the meeting notice I mentioned in part 3 leaves the enterprise and finds the first wired network on-ramp to the device’s carrier, traverses their network to the tower near the device, and is then sent wirelessly to the device.

How does all this magic happen? When the phone or tablet is turned on, it looks for a tower to associate with. Once that happens, the carrier notes that user Juanita Doe’s device can communicate through tower XYZ, regardless of where message traffic originates.

As for points of failure, any of the following could apply at the device level:

Failing device hardware

Battery that’s low or spent

Device out of coverage, weak or no signal

First-time use or replacement, not provisioned or not properly provisioned with the carrier

First-time use or replacement, not provisioned or not properly provisioned with the enterprise

Encryption or decryption failures, expired keys

Incorrect password

Corrupt application service books, policies or certificates on the device

Incompatible OS level

Below we have the complete picture of the basic mobile enterprise network again. As demonstrated by the discussion in this series, a great deal of technology has to go right for the basics of wireless and mobile applications to work. It takes even more for an enterprise wireless strategy to be effective and successful. For a strategy to be effective it must include mobile management processes, such as procedures and tools, including predictive analytics, to detect problems, alert the enterprise administrators and help isolate any issues or failures in the enterprise mobile ecosystem.

As mentioned in Part 1 of the series, as an architect in mobility for over 17 years now, I have found this diagram and discussion to be extremely valuable tools.

I believe the first incarnation of this was in 2003, when an IBM colleague (Scott Symes) and I had the black eyes as we experienced the effects of issues in different zones. It was BlackBerry at the time, hence we nicknamed it the “BlackBerry Blackeye” chart. But as other technologies have come to market, the essentials are still true today regardless of device manufacturer, operating system or application. The diagram has been updated and expanded to reflect some of these changes as Android, iOS devices, messaging, monitoring and MDM/EMM (Airwatch, IBM/Fiberlink, BlackBerry/Good, MobileIron, Tangoe, Zenprise, etc.) have come along. Others have disappeared or been consolidated. However, the fundamental issues and the concepts remain constant. There are many points of success and failure in a mobile enterprise infrastructure.

Well-designed, well-planned and well-implemented strategies, infrastructures and applications will prevent lost sales due to abandoned carts, increase customer loyalty and repeat use, increase employee productivity, and prevent the lost investment that comes with failed application adoption.

In the simplest of terms, success equals good, high-quality, uninterrupted service, and applications that account for diverse screen real estate and user interaction. Unresponsiveness due to back-end servers, load balancing or firewall issues, or Internet network congestion will be seen as the fault of the application and blamed on it.

Mobile success, like beauty, is in the eye of the beholder, or in this case the user. Therefore, the success of a mobile enterprise infrastructure, and whether or not you get a “black eye”, depends on how well these points of failure are understood and managed.

It’s my hope this series, revised from original publication at IBM Mobile Insights, has been and will be helpful to you. Please leave comments below or contact me on LinkedIn.

Internet

This series of articles describes the four zones of success or failure (points of failure) in an end-to-end mobile enterprise infrastructure. In the first part I discussed the enterprise zone—the enterprise back end, including mail servers, messaging solution and directory services. In the second part I covered the enterprise security zone, consisting of firewalls, virtual private networks (VPNs) and reverse proxy.

The third zone in the journey is the zone where the enterprise has absolutely no control, the Internet zone! The Internet zone stretches out, encircling the globe, a mysterious cloud with an army of routers, switches, wires, fiber and wireless carriers that provide the infrastructure and plumbing to carry your data packets from end to end. It’s the big hop between your enterprise and devices.

Within the Internet zone are two key add-ons: push notification services and network operations centers.

Network operations center (NOC): Some of the mobile enterprise solutions make use of an NOC concept. The two most notable are BlackBerry and Good Technology. In these solutions all traffic related to their solution passes through the NOC. This has the advantage that the enterprise’s security zone only needs firewall rules to the trusted NOC. The NOC integrates all communications from devices on the various carrier networks.

Like any other link, a broken link affects the chain. However, the NOCs are highly redundant, fault-tolerant configurations that are rarely down. They are so reliable that when an incident occurs, the disruption often makes the evening news. As far as points of failure go, it is far more likely that your local network connection to the NOC will fail than the NOC itself.

The second-to-last leg of the Internet zone is the wireless carriers (that is, if the device is not Wi-Fi connected). Interestingly enough, 99 percent of the path of a meeting notice going from server to wireless device is not over wireless. The notice will follow the wired or fiber connections of the Internet and wireless carrier until it hits the cell tower nearest the intended device. Wireless carriers have a vast array of switches, routers and wired or fiber networks before anything goes wireless.

Once again, any of these elements can create a point of failure in the communication path. The user perception will be that the mobile device or application is at fault and failing again. As in the first two zones, some monitoring and mobile device management (MDM) or Enterprise Mobility solutions provide tools to help determine these issues.

2017 Update: Today various mobile analytics tools are available to assist in identifying a failing node in the network, the point of failure. Don’t let the term “analytics” put you off. Often significant data collection and analysis can be done with just a few lines of code, and the tool will do the heavy lifting. Please refer to my article Demystifying Analytics and a short video example.
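To make the “few lines of code” point concrete, here is an added example (mine, not from the article or from any analytics product) that ranks where meeting notices first fail along the four zones. The per-hop trace lines, the zone and hop names and the key=value format are all constructed for illustration; a real MDM or analytics tool will log something different, but the idea of finding the first failing hop per message, rather than the symptom the user reports, carries over.

```python
"""Locating the failing node from per-hop delivery traces.

Added example: the log lines below are constructed for illustration and
the zone/hop field names are assumptions, not the format of any real
analytics tool.
"""
import re
from collections import Counter

# Constructed trace: one line per hop a meeting notice takes through the
# four zones. Anything other than status=ok is treated as a failure.
LOG = """\
2017-03-01T09:00:01Z msg=m1 zone=enterprise hop=mail-server status=ok ms=12
2017-03-01T09:00:01Z msg=m1 zone=security hop=internal-fw status=ok ms=1
2017-03-01T09:00:02Z msg=m1 zone=internet hop=carrier-gw status=ok ms=140
2017-03-01T09:00:03Z msg=m1 zone=device hop=handset status=ok ms=30
2017-03-01T09:01:00Z msg=m2 zone=enterprise hop=mail-server status=ok ms=10
2017-03-01T09:01:00Z msg=m2 zone=security hop=internal-fw status=drop ms=0
2017-03-01T09:02:00Z msg=m3 zone=enterprise hop=mail-server status=ok ms=11
2017-03-01T09:02:00Z msg=m3 zone=security hop=internal-fw status=drop ms=0
2017-03-01T09:03:00Z msg=m4 zone=enterprise hop=mail-server status=ok ms=9
2017-03-01T09:03:00Z msg=m4 zone=security hop=internal-fw status=ok ms=1
2017-03-01T09:03:01Z msg=m4 zone=internet hop=carrier-gw status=ok ms=150
2017-03-01T09:03:05Z msg=m4 zone=device hop=handset status=timeout ms=4000
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn each 'key=value' trace line into a dict (timestamp under 'ts')."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(FIELD.findall(rest))
        rec["ms"] = int(rec["ms"])
        records.append(rec)
    return records


def first_failures(records):
    """For each message, the first (zone, hop) whose status is not ok.
    Messages delivered cleanly do not appear in the result."""
    failed = {}
    for rec in records:
        if rec["status"] != "ok":
            failed.setdefault(rec["msg"], (rec["zone"], rec["hop"]))
    return failed


def rank_failing_nodes(records):
    """Most common first point of failure: where to start looking, even
    though the user will report it as 'the app is broken'."""
    return Counter(first_failures(records).values()).most_common()


def delivery_rate(records):
    """Fraction of messages that reached the device with status ok."""
    messages = {rec["msg"] for rec in records}
    delivered = {rec["msg"] for rec in records
                 if rec["zone"] == "device" and rec["status"] == "ok"}
    return len(delivered) / len(messages)


if __name__ == "__main__":
    recs = parse(LOG)
    for (zone, hop), count in rank_failing_nodes(recs):
        print(f"{zone}/{hop}: {count} message(s) failed here first")
    print(f"delivery rate: {delivery_rate(recs):.0%}")
```

Run on the constructed trace, the ranking points at the security zone’s internal firewall as the most common first failure, while the single device-side timeout is what a help-desk caller would actually describe. That gap between where a notice dies and where the user notices it is the reason the article keeps returning to zone-by-zone monitoring.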

The next and final zone in the series will be the user zone.

I hope this was helpful. Please leave comments below or contact me on LinkedIn, and stay tuned to finish out the series republication.

The Security Zone

In my initial article, I introduced the idea of four zones of a mobile enterprise network: Enterprise, Security, Internet, and User zones. All four areas contribute to the success or failure of a mobile enterprise, and all must be working properly in order to ensure success. In the first post we discussed the enterprise zone, consisting of the enterprise back end—mail, messaging solution (example) and directory services as points of success or failure in mobility. In this second post of the series, we’ll talk about security.

The enterprise security zone is the next zone of focus; it is still within the control of the enterprise but not of the typical mobility service team. The security zone is typically set up and managed by the enterprise networking team.

The enterprise security zone’s intent is that network, server and application access behind the firewall is “private”. However, since the network is Internet-connected for employees and customers, that privacy is “virtual”, and the zone’s purpose is to create a secure “gateway” ensuring that corporate network access is granted only to those who are allowed. The security zone is typically made up of routers, switches, proxies, anti-spam or anti-virus appliances and other networking devices that together form an enterprise network security firewall directly in front of the back-end enterprise infrastructure or network. The zone often includes a second firewall directly attached to and facing the Internet. If you have dual firewalls, the zone between them is called a demilitarized zone (DMZ). BlueCoat is a major supplier of such devices and appliances.

Depending on the mobility solution, there may be other servers sandwiched between the two firewalls. This diagram simply shows a Virtual Private Network (VPN) and a reverse proxy server. The VPN allows secure administration, browsing and mobile application access. The reverse proxy can broker requests so that outside entities only talk to the proxy and never actually have access to an infrastructure server.

Often existing servers are used for mobility solutions by updating the settings, ports and rules based on the inputs of the mobility team specific to the solution selected.

The enterprise security zone is a key, complex area. Typically the internal firewall is set up only to allow traffic from the IP addresses of the proxy and VPN to access the specific IP of back-end servers such as messaging, and only over specific ports. Messaging and back-end servers communicate over specific port numbers that vary from application to application. Similarly, the front-end firewall is the initial filter restricting all traffic to the enterprise, including to mobile devices and applications.

This can be difficult and confusing to get correct initially. Many applications use and require ports that are not documented in the materials or not easily identified. Establishing the rules is typically a “set and forget” procedure, but it still requires diligence, as new network or server infrastructure, or other changes requiring firewall updates, may affect existing ports and rules.

If there is a mistake in updating ports and rules, it can create a point of failure in the communication path. The user perception will be that the mobile device or application is at fault. The firewalls and security zone are normally managed by the enterprise networking team, separate from the mobility team, and only the networking team has access to the security dashboards, tools, controls and the ability to update settings. Without visibility into this data, mobility teams struggle to isolate messaging issues that are caused by a problem within the security zone. Some monitoring and mobile device management (MDM) solutions provide tools to help determine whether a firewall issue is to blame.
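The internal-firewall pattern described above (only the proxy and VPN addresses, only the specific back-end server, only the ports the application actually uses) is easier to reason about when written down as a policy you can test. The following is an added example of my own, not a configuration from the article or from any vendor: every address, host and port is a constructed placeholder, and the nftables rendering at the end only illustrates the shape such rules take. It shows how a default-deny allow list classifies traffic and, more usefully for a mobility team, why a given flow is dropped, which is exactly the information the text says they normally cannot see.

```python
"""Modelling the internal firewall allow list from the security zone.

Added example, not from the article: every address, host and port below is
a constructed placeholder, and the nftables rendering is illustrative of
the rule shape, not a rule set taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # permitted source host or network (CIDR)
    dst: str    # back-end server address
    proto: str  # "tcp" or "udp"
    port: int   # destination port the application actually uses


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


# Constructed placeholders for the reverse proxy, VPN concentrator and
# messaging server sitting behind the internal firewall.
REVERSE_PROXY = "10.0.1.10"
VPN_GATEWAY = "10.0.1.20"
MESSAGING = "10.0.2.50"

# Only the proxy and the VPN may reach the messaging server, and only on
# the ports it is known to use. Port 8443 stands in for an application
# port that was documented; an undocumented port is simply absent here,
# which is how the "set and forget" failure mode shows up in practice.
POLICY = [
    Rule(REVERSE_PROXY, MESSAGING, "tcp", 443),
    Rule(VPN_GATEWAY, MESSAGING, "tcp", 443),
    Rule(REVERSE_PROXY, MESSAGING, "tcp", 8443),
]


def _src_matches(rule, flow):
    """True if the flow's source address falls inside the rule's source."""
    return ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src, strict=False)


def is_allowed(flow, policy=POLICY):
    """Default deny: a flow passes only if one rule matches every field."""
    return any(_src_matches(r, flow) and r.dst == flow.dst
               and r.proto == flow.proto and r.port == flow.port
               for r in policy)


def diagnose(flow, policy=POLICY):
    """Explain a drop in terms of the three things the internal firewall
    filters on: source, destination and port/protocol."""
    if is_allowed(flow, policy):
        return "allowed"
    from_trusted = [r for r in policy if _src_matches(r, flow)]
    if not from_trusted:
        return "denied: untrusted source"
    if not any(r.dst == flow.dst for r in from_trusted):
        return "denied: unknown destination"
    return "denied: port/protocol not in allow list"


def render_nftables(policy=POLICY):
    """Render the allow list as nftables rule bodies with a final drop,
    the same default-deny posture expressed for a real firewall."""
    lines = [f"ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.port} accept"
             for r in policy]
    lines.append("drop")
    return lines


if __name__ == "__main__":
    checks = [
        Flow(REVERSE_PROXY, MESSAGING, "tcp", 443),   # documented path
        Flow(REVERSE_PROXY, MESSAGING, "tcp", 9000),  # undocumented port
        Flow("203.0.113.7", MESSAGING, "tcp", 443),   # direct from Internet
    ]
    for f in checks:
        print(f"{f.src} -> {f.dst}:{f.port}/{f.proto}: {diagnose(f)}")
    print("\n".join(render_nftables()))
```

The second check is the interesting one: the proxy is trusted and the messaging server is a known destination, yet the flow is dropped because the application started using a port nobody wrote down. To the user that looks like a broken app; to anyone who can run `diagnose` against the policy it is a one-line rule change.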

I’m not really a firewall and security guy; my experience was more at the physical network layer in my early career with IBM, such as which pins on the connectors perform which functions and how data packets flow across the network. But feel free to share your thoughts or questions. A good deal of network and security information can be found at Infrastructure Security Services.

In the first two zones discussed, the enterprise has complete control over what and how much to implement to ensure success or failure: in the enterprise zone, load balancers, fail-over or cluster servers; in the security zone, firewalls, proxies, devices and network appliances.

In my next post of the “four zones” series, I’ll begin to discuss the last two zones, where the enterprise has “no direct control”, starting with the Internet zone.